Cracking DES Cryptosystem

A cryptosystem is made of these parts:

• Two parties who want to communicate over an insecure channel

• An encryption algorithm that transforms the plaintext into ciphertext

• A decryption algorithm that reverses the process

Cracking DES Cryptosystem

• A good electronic cryptosystem should only be vulnerable to brute-force attacks that are computationally infeasible

• A given implementation, or other details not handled by the cryptosystem, may introduce weaknesses

• Can allow a more sophisticated variant of a brute-force algorithm

Overview of DES Cryptosystem

• DES is the US Federal Data Encryption Standard, dating from 1977

• Developed by the NSA under the aegis of the NIST (NBS)

• 56-bit symmetric cipher, based on two parties (Alice and Bob) having a shared key

Outline of DES Cryptosystem

• The plaintext, a string of length 64 bits, is transformed with a fixed Initial Permutation

• 16 iterations (or rounds) of a function are computed. This involves parts of the transformed plaintext, parts of the secret (the shared key), other fixed functions (permutations and expansions), and the XOR operation

• The final string is given an Inverse Permutation

Outline of DES Cryptosystem

• The decryption process is the same as the encryption process, with all steps performed in reverse order

• The decryptor is, or should be, the only other possessor of the shared key

• Since the only mathematical operation is XOR, this is very fast in a dedicated hardware implementation

Details of DES Cryptosystem• The heart of DES is the function

performed for 16 iterations• It contains a non-linear substitution

algorithm, defined by eight fixed shift registers (S-boxes)

• The S-boxes juggle 6 XOR’ed bits from the permuted plaintext and the key for that round

• Changing one input bit changes at least two output bits

An S-Box: S1

14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7

0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8

4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0

15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13

Input String

010101

Binary Row Binary Column S-Box output value

Dec:12Bin: 1100

Input String

010100

Binary Row Binary Column S-Box output value

Dec:6Bin: 0110

That’s enough DES details

• Really

• Here’s a puppy

Greta

Difficulties in Cracking DES

• DES is a moderately strong cipher

• 256 possible keys

• Unsophisticated brute-force algorithm average case : 255 operations

• 36,028,797,018,963,968 operations

• Wouldn’t it be nice to be able to cheat?

Cracking DES

There a few things that make a smart brute-force approach computationally feasible:

• Parallelizable

• Fast in hardware

• Plaintext recognizer circuitry

These factors help weed out many keys quickly

Parallelizable

• Testing one candidate key does not depend on testing other keys

• Divide and Conquer – if you have n DES-cracking units, each unit gets 1/n of the potential key-space

• The time to crack also gets divided by n

Fast in hardware

• DES only consists of permutations, shifts, and XOR operations

• Speed of actual custom-built search unit – it can do one decryption in 16 clock cycles

• 2.5 million keys per second at 40 MHz

Plaintext recognizer

An attacker needs to define criteria about the plaintext:

• This is what flags a candidate plaintext

• Configurable in controlling software

• ASCII text is easiest – you know the high bit of any given byte will always be zero

Details of a DeepCrack chip

• 24 search units on a chip

• Each search unit takes 2 8-byte blocks of ciphertext and a potential key

• If the first decrypted block is not “interesting”, the search unit increments the key and tries the block again

• If the first block is “interesting”, then the second block is tried with the same key

What’s “interesting?”

• Each chip is initialized with a plaintext recognizer: a lookup table defining which of 256 permutations of a byte are interesting

• A standard email will be numbers, letters, and a few punctuation marks

• Easy for ASCII – may grow more difficult if Unicode sees more adoption

Controlling software

• The DES cracker is initialized and monitored by a standard PC

• It defines the plaintext lookup table, restarts search units after “interesting” results, and records the “interesting” values for further examination

Putting a DES cracker together

• 24 search units in a chip

• 64 chips on a VMEbus board

• 12 boards to a chassis

• Two chassis cost $210,000 as the first-run prototype built by the EFF in 1997

• Could check 92,160,000,000 keys per second

• Average case: 4.524 days

Securing against this attack

• This technique is dependent on the plaintext (ASCII, etc.) and on the speed of hardware

• It does not make any given n-bit encryption algorithm feasible– it just makes this one easier.

• Triple-DES is a 112-bit cipher – this machine can’t come close

Greta again

Bibliography

Diffie, Whitfield. Privacy on the Line. Cambridge, Massachusetts: The MIT Press, 1998

Stinson, Douglas. Cryptography: Theory and Practice. New York: CRC Press, 1995

Electronic Frontier Foundation. Cracking DES. O’Reilly and Associates, 1998. Primarily a public domain publication